In the summer a leading sector supplier revealed that data was removed from its system and below we explore what an event like this means for the institutions affected.
Cyber-crime, including scenarios where ransoms are demanded to decrypt data or to destroy improperly taken copies, is a fact of life. The news that Blackbaud was subject to an attack is a reminder that the Higher Education (HE) sector is not immune. The scenario in which a cloud provider is attacked but recovers the data is a challenging one for governing bodies: it is specific enough to engage a very particular application of rules and requirements, yet it is exactly the sort of scenario for which they should ideally be prepared.
Under data protection law, an online provider of cloud-based services is usually a "data processor" to the HEI, which, as a charity, is the "data controller".
When engaging processors, the GDPR requires universities to:
Processors are required by the GDPR to report breaches to the controller "without undue delay", but in our experience this does not always happen. If you become aware of a data incident involving one of your processors but have not been contacted by it, it is prudent to check with the processor whether your data was involved.
As a priority, higher education institutions (HEIs) told that their data may be involved should obtain assurances from the processor about the extent of the loss, what data was involved and whether the data is now secure.
As the HEI is the controller, it is responsible for reporting the data breach to the Information Commissioner's Office (ICO) unless the breach is "unlikely to result in a risk" to individuals. If it meets the threshold for reporting, a breach must be reported within 72 hours of the HEI becoming aware of it. Even if the data processor has made its own voluntary report to the ICO, reporting, where required, remains the HEI's responsibility. Not all breaches are reportable, and universities should consider carefully whether the circumstances warrant reporting.
If an HEI does decide to report a breach to the ICO in circumstances where the breach was caused by a processor, then it should check to make sure that the three steps outlined above were taken. The ICO is far less likely to take enforcement action against the HEI if the arrangement is compliant and appropriate checks were carried out by the HEI on the processor. The ICO has previously fined controllers that did not do enough to check their contractor's compliance.
An HEI will also need to consider reporting to affected data subjects. The threshold here is higher than for reporting to the ICO: data subjects only need to be told if the breach is likely to result in a "high risk" to them. However, it can sometimes be prudent to inform individuals even where the legal threshold has not been met. For example, if there is a risk that the breach will become public knowledge, it may be better reputationally for the HEI to be seen as transparent and proactive than for individuals to find out later that their data had been compromised. Many HEIs affected by the Blackbaud data breach reported to data subjects, probably more for reputational reasons, and because students were already asking whether they had been affected, than on the basis of a high risk to the data.
There are other points to consider, for example, whether to notify the police. Insurers should also be involved.
More easily overlooked is the need to report a serious incident to the Office for Students (OfS) as the principal regulator. For HEIs which are registered with the Charity Commission (CC), a report will also need to be made to that regulator.
Reportable serious incidents are adverse events, actual or alleged, involving or risking significant harm to the HEI, its work, property, assets or the people it comes into contact with. A decision whether or not to report - the reasoning for which should be recorded - is typically made with close reference to the OfS's guidance (and, if relevant, the CC's guidance) on reporting serious incidents. It will often involve exercising judgment, guided by the guidance, about whether the threshold of significant harm is met.
Reports to the OfS must be made promptly, as soon as is reasonably possible or immediately after the HEI becomes aware of the incident. Depending on the circumstances, this can be a more stringent requirement than a fixed deadline.
Where data breaches are concerned, governing bodies can often short-cut deliberations about the significance of harm. A list of examples published by the OfS specifies a data breach reported to the ICO as a reportable serious incident. If the matter is reported to the ICO, it follows that the HEI should also consider whether a report should be made to the OfS.
Most HEIs are exempt from registration with the CC and thus do not need to deal with it as a regulator. However, there are some HEIs which are registered charities and in those cases a serious incident report should also be made to the CC in the circumstances discussed above.